Bug 8001

Summary: cidafm() integer overflows
Product: xorg
Reporter: Daniel Stone <daniel>
Component: Server/General
Assignee: X.Org Security <xorg_security>
Status: RESOLVED FIXED
Severity: normal
Priority: high
CC: alan.coopersmith, dberkholz, matthieu.herrb, sndirsch
Version: git
Keywords: security
Hardware: x86 (IA32)
OS: Linux (All)

Description Daniel Stone 2006-08-25 08:55:55 UTC
I'm so very happy.  No embargo date as yet.  Quoting iDefense:

Local exploitation of an integer overflow vulnerability in the 'CIDAFM()'
function in the X.Org and XFree86 X server could allow an attacker to
execute arbitrary code with privileges of the X server, typically root.

The vulnerability specifically exists in the 'CIDAFM()' function of the code
responsible for handling AFM (Adobe Font Metrics) files. The number of character
metrics is obtained from the "StartCharMetrics" line of an AFM file and that
value is then multiplied by the size of a single character metric record in
order to calculate the space required to store the metrics. If the result of the
multiplication is larger than the largest value that can be held in an integer,
the amount actually allocated will be much smaller. Following this, the function
attempts to read as many metric records as were specified on the line into that
memory. As the contents of the file can be specified by a local user, and as the
function will stop reading if an error is detected in the input, a controlled
heap overflow may occur which may allow the execution of arbitrary code.

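The allocation pattern the advisory describes, as an added C example that is not X.Org or iDefense code: a "StartCharMetrics" count multiplied by the record size in 32-bit arithmetic, beside a version that bounds the count, multiplies in size_t and never reads more records than the buffer holds. The record layout, the MAX_CHAR_METRICS bound and the sample AFM lines are constructed for illustration and do not reproduce the server's own structures.

```c
/* Added example (not X.Org code): the size computation from the advisory,
 * first in its unchecked form and then with the checks a reviewer expects.
 * The record layout, MAX_CHAR_METRICS and the sample lines are constructed. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for one AFM character-metric record (64 bytes). */
typedef struct {
    int  code;
    int  width;
    int  bbox[4];
    char name[40];
} metric_rec_t;
_Static_assert(sizeof(metric_rec_t) == 64, "example assumes a 64-byte record");

/* Hypothetical bound: far more metrics than any font legitimately carries. */
#define MAX_CHAR_METRICS 65536L

/* Parse "StartCharMetrics N". Returns N (>= 0) or -1 when the line is not a
 * StartCharMetrics line, the number is malformed, negative or out of range. */
long parse_start_char_metrics(const char *line)
{
    const char *key = "StartCharMetrics";
    size_t klen = strlen(key);
    const char *num = line + klen + 1;
    char *end;
    long v;

    if (strncmp(line, key, klen) != 0 || line[klen] != ' ')
        return -1;
    errno = 0;
    v = strtol(num, &end, 10);
    if (errno == ERANGE || end == num || v < 0)
        return -1;
    if (*end != '\0' && *end != '\n' && *end != '\r')
        return -1;           /* trailing garbage after the number */
    return v;
}

/* Vulnerable pattern: count * sizeof(record) evaluated in 32-bit arithmetic.
 * The product wraps modulo 2^32, so a huge count yields a tiny allocation. */
uint32_t unchecked_alloc_size(uint32_t count)
{
    return count * (uint32_t)sizeof(metric_rec_t);
}

/* Hardened version: refuse implausible counts, multiply in size_t, and reject
 * any product that could not be represented. Returns bytes or -1. */
long checked_alloc_size(long count)
{
    if (count < 0 || count > MAX_CHAR_METRICS)
        return -1;
    if ((size_t)count > SIZE_MAX / sizeof(metric_rec_t))
        return -1;           /* cannot trigger with the bound above; kept for 32-bit targets */
    return (long)((size_t)count * sizeof(metric_rec_t));
}

/* Read records into buf, stopping at the first malformed line (as the text
 * describes) or when the buffer is full, never past `capacity`. */
size_t read_metrics(const char *const *lines, size_t nlines,
                    metric_rec_t *buf, size_t capacity)
{
    size_t n = 0;
    for (size_t i = 0; i < nlines && n < capacity; i++) {
        if (sscanf(lines[i], "C %d ; WX %d ; N %39s ;",
                   &buf[n].code, &buf[n].width, buf[n].name) != 3)
            break;
        memset(buf[n].bbox, 0, sizeof buf[n].bbox);
        n++;
    }
    return n;
}

/* Constructed input: three metric lines offered to a two-record buffer.
 * Returns how many were stored (2), showing the bound holds. */
size_t demo_bounded_read(void)
{
    static const char *const lines[] = {
        "C 32 ; WX 600 ; N space ; B 0 0 0 0 ;",
        "C 33 ; WX 600 ; N exclam ; B 236 -15 364 572 ;",
        "C 34 ; WX 600 ; N quotedbl ; B 187 328 413 562 ;",
    };
    metric_rec_t buf[2];
    return read_metrics(lines, 3, buf, 2);
}

int main(void)
{
    long count = parse_start_char_metrics("StartCharMetrics 67108865\n");
    printf("declared count %ld -> unchecked size %u bytes, checked result %ld\n",
           count, unchecked_alloc_size((uint32_t)count), checked_alloc_size(count));
    printf("bounded read stored %zu of 3 records\n", demo_bounded_read());
    return 0;
}
```

With the constructed 64-byte record, a declared count of 67108865 (2^26 + 1) multiplies to 2^32 + 64, so the unchecked computation allocates 64 bytes for one record while the reader expects 67 million; the checked version rejects the count outright, and the reader caps itself at the buffer's capacity rather than the declared count.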
Comment 1 Alan Coopersmith 2006-08-28 14:16:26 UTC
*** Bug 8005 has been marked as a duplicate of this bug. ***
Comment 2 Matthieu Herrb 2006-09-01 02:47:37 UTC
This is CVE-2006-3739
Comment 3 Alan Coopersmith 2006-09-13 15:48:29 UTC
Patches committed and advisory released.
